Abstract. We present an algorithm that, on input of a CM-field $K$, an integer $k > 1$, and a prime $r \equiv 1 \bmod k$, constructs a $q$-Weil number $\pi \in O_K$ corresponding to an ordinary, simple abelian variety $A$ over the field $\mathbb{F}$ of $q$ elements that has an $\mathbb{F}$-rational point of order $r$ and embedding degree $k$ with respect to $r$. We then discuss how CM-methods over $K$ can be used to explicitly construct $A$.

1 Introduction 

Let $A$ be an abelian variety defined over a finite field $\mathbb{F}$, and $r \ne \operatorname{char}(\mathbb{F})$ a prime number dividing the order of the group $A(\mathbb{F})$. Then the embedding degree of $A$ with respect to $r$ is the degree of the field extension $\mathbb{F} \subset \mathbb{F}(\zeta_r)$ obtained by adjoining a primitive $r$-th root of unity $\zeta_r$ to $\mathbb{F}$.

The embedding degree is a natural notion in pairing-based cryptography, where $A$ is taken to be the Jacobian of a curve defined over $\mathbb{F}$. In this case, $A$ is principally polarized and we have the non-degenerate Weil pairing

$$e_r : A[r] \times A[r] \to \mu_r$$

on the subgroup scheme $A[r]$ of $r$-torsion points of $A$ with values in the $r$-th roots of unity. If $\mathbb{F}$ contains $\zeta_r$, we also have the non-trivial Tate pairing

$$t_r : A[r](\mathbb{F}) \times A(\mathbb{F})/rA(\mathbb{F}) \to \mathbb{F}^*/(\mathbb{F}^*)^r.$$

The Weil and Tate pairings can be used to 'embed' $r$-torsion subgroups of $A(\mathbb{F})$ into the multiplicative group $\mathbb{F}(\zeta_r)^*$, and thus the discrete logarithm problem in $A(\mathbb{F})[r]$ can be 'reduced' to the same problem in $\mathbb{F}(\zeta_r)^*$ [6,3]. In pairing-based cryptographic protocols [7], one chooses the prime $r$ and the embedding degree $k$ such that the discrete logarithm problems in $A(\mathbb{F})[r]$ and $\mathbb{F}(\zeta_r)^*$ are computationally infeasible, and of roughly equal difficulty. This means that $r$ is typically large, whereas $k$ is small. Jacobians of curves meeting such requirements are often said to be pairing-friendly.
If $\mathbb{F}$ has order $q$, the embedding degree $k = [\mathbb{F}(\zeta_r) : \mathbb{F}]$ is simply the multiplicative order of $q$ in $(\mathbb{Z}/r\mathbb{Z})^*$. As 'most' elements in $(\mathbb{Z}/r\mathbb{Z})^*$ have large order, the embedding degree of $A$ with respect to a large prime divisor $r$ of $\#A(\mathbb{F})$ will usually be of the same size as $r$, and $A$ will not be pairing-friendly. One is therefore led to the question of how to efficiently construct $A$ and $\mathbb{F}$ such that $A(\mathbb{F})$ has a (large) prime factor $r$ and the embedding degree of $A$ with respect to $r$ has a prescribed (small) value $k$. The current paper addresses this question on two levels: the existence and the actual construction of $A$ and $\mathbb{F}$.

Section 2 focuses on the question whether, for given $r$ and $k$, there exist abelian varieties $A$ that are defined over a finite field $\mathbb{F}$, have an $\mathbb{F}$-rational point of order $r$, and have embedding degree $k$ with respect to $r$. We consider only abelian varieties $A$ that are simple, that is, not isogenous (over $\mathbb{F}$) to a product of lower-dimensional varieties, as we can always reduce to this case. By Honda-Tate theory [10], isogeny classes of simple abelian varieties $A$ over the field $\mathbb{F}$ of $q$ elements are in one-to-one correspondence with $\operatorname{Gal}(\overline{\mathbb{Q}}/\mathbb{Q})$-conjugacy classes of $q$-Weil numbers, which are algebraic integers $\pi$ with the property that all embeddings of $\pi$ into $\mathbb{C}$ have absolute value $\sqrt q$. This correspondence is given by the map sending $A$ to its $q$-th power Frobenius endomorphism $\pi$ inside the number field $\mathbb{Q}(\pi) \subset \operatorname{End}(A) \otimes \mathbb{Q}$. The existence of abelian varieties with the properties we want is thus tantamount to the existence of suitable Weil numbers.

Our main result, Algorithm 2.12, constructs suitable $q$-Weil numbers $\pi$ in a given CM-field $K$. It exhibits $\pi$ as a type norm of an element in a reflex field of $K$ satisfying certain congruences modulo $r$. The abelian varieties $A$ in the isogeny classes over $\mathbb{F}$ that correspond to these Weil numbers have an $\mathbb{F}$-rational point of order $r$ and embedding degree $k$ with respect to $r$. Moreover, they are ordinary, i.e., $\#A(\overline{\mathbb{F}})[p] = p^g$, where $p$ is the characteristic of $\mathbb{F}$. Theorem 3.1 shows that for fixed $K$, the expected run time of our algorithm is heuristically polynomial in $\log r$.

For an abelian variety of dimension $g$ over the field $\mathbb{F}$ of $q$ elements, the group $A(\mathbb{F})$ has roughly $q^g$ elements, and one compares this size to $r$ by setting

$$\rho = \frac{g \log q}{\log r}. \qquad (1.1)$$

In cryptographic terms, $\rho$ measures the ratio of a pairing-based system's required bandwidth to its security level, so small $\rho$-values are desirable. Supersingular abelian varieties can achieve $\rho$-values close to 1, but their embedding degrees are limited to a few values that are too small to be practical [4,8]. Theorem 3.4 discusses the distribution of the (larger) $\rho$-values we obtain.

In Section 4, we address the issue of the actual construction of abelian varieties corresponding to the Weil numbers found by our algorithm. This is accomplished via the construction in characteristic zero of the abelian varieties having CM by the ring of integers $O_K$ of $K$, a hard problem that is far from being algorithmically solved. We discuss the elliptic case $g = 1$, for which reasonable algorithms exist, and the case $g = 2$, for which such algorithms are still in their infancy. For genus $g \ge 3$, we restrict attention to a few families of curves that we can handle at this point. Our final Section 5 provides numerical examples.
2 Weil numbers yielding prescribed embedding degrees

Let $\mathbb{F}$ be a field of $q$ elements, $A$ a $g$-dimensional simple abelian variety over $\mathbb{F}$, and $K = \mathbb{Q}(\pi) \subset \operatorname{End}(A) \otimes \mathbb{Q}$ the number field generated by the Frobenius endomorphism $\pi$. Then $\pi$ is a $q$-Weil number in $K$: an algebraic integer with the property that all of its embeddings in $\overline{\mathbb{Q}}$ have complex absolute value $\sqrt q$.

The $q$-Weil number $\pi$ determines the group order of $A(\mathbb{F})$: the $\mathbb{F}$-rational points of $A$ form the kernel of the endomorphism $\pi - 1$, and in the case where $K = \mathbb{Q}(\pi)$ is the full endomorphism algebra $\operatorname{End}_{\mathbb{F}}(A) \otimes \mathbb{Q}$ we have

$$\#A(\mathbb{F}) = N_{K/\mathbb{Q}}(\pi - 1).$$

In the case $K = \operatorname{End}(A) \otimes \mathbb{Q}$ we will focus on, $K$ is a CM-field of degree $2g$ as in [10, Section 1], i.e., a totally complex quadratic extension of a totally real subfield $K_0 \subset K$.

Proposition 2.1. Let $A$, $\mathbb{F}$ and $\pi$ be as above, and assume $K = \mathbb{Q}(\pi)$ equals $\operatorname{End}_{\mathbb{F}}(A) \otimes \mathbb{Q}$. Let $k$ be a positive integer, $\Phi_k$ the $k$-th cyclotomic polynomial, and $r \nmid qk$ a prime number. If we have

$$N_{K/\mathbb{Q}}(\pi - 1) \equiv 0 \pmod r,$$
$$\Phi_k(\pi\bar\pi) \equiv 0 \pmod r,$$

then $A$ has embedding degree $k$ with respect to $r$.

Proof. The first condition tells us that $r$ divides $\#A(\mathbb{F})$, the second that the order of $\pi\bar\pi = q$ in $(\mathbb{Z}/r\mathbb{Z})^*$, which is the embedding degree of $A$ with respect to $r$, equals $k$. □

By Honda-Tate theory [10], all $q$-Weil numbers arise as Frobenius elements of abelian varieties over $\mathbb{F}$. Thus, we can prove the existence of an abelian variety $A$ as in Proposition 2.1 by exhibiting a $q$-Weil number $\pi \in K$ as in that proposition. The following lemma states what we need.

Lemma 2.2. Let $\pi$ be a $q$-Weil number and $\mathbb{F}$ be the field of $q$ elements. Then there exists a unique isogeny class of simple abelian varieties $A/\mathbb{F}$ with Frobenius $\pi$. If $K = \mathbb{Q}(\pi)$ is totally imaginary of degree $2g$ and $q$ is prime, then such $A$ have dimension $g$, and $K$ is the full endomorphism algebra $\operatorname{End}_{\mathbb{F}}(A) \otimes \mathbb{Q}$. If furthermore $q$ is unramified in $K$, then $A$ is ordinary.

Proof. The main theorem of [10] yields existence and uniqueness, and shows that $E = \operatorname{End}_{\mathbb{F}}(A) \otimes \mathbb{Q}$ is a central simple algebra over $K = \mathbb{Q}(\pi)$ satisfying

$$2 \dim(A) = [E : K]^{1/2} [K : \mathbb{Q}].$$

For $K$ totally imaginary of degree $2g$ and $q$ prime, Waterhouse [12, Theorem 6.1] shows that we have $E = K$ and $\dim(A) = g$. By [12, Prop. 7.1], $A$ is ordinary if and only if $\pi + \bar\pi$ is prime to $q = \pi\bar\pi$ in $O_K$. Thus if $A$ is not ordinary, the ideals $(\pi)$ and $(\bar\pi)$ have a common divisor $\mathfrak{p} \subset O_K$ with $\mathfrak{p}^2 \mid q$, so $q$ ramifies in $K$. □
Example 2.3. Our general construction is motivated by the case where $K$ is a Galois CM-field of degree $2g$, with cyclic Galois group generated by $\sigma$. Here $\sigma^g$ is complex conjugation, so we can construct an element $\pi \in O_K$ satisfying $\pi\sigma^g(\pi) = \pi\bar\pi \in \mathbb{Z}$ by choosing any $\xi \in O_K$ and letting $\pi = \prod_{i=1}^{g} \sigma^i(\xi)$. For such $\pi$, we have $\pi\bar\pi = N_{K/\mathbb{Q}}(\xi) \in \mathbb{Z}$. If $N_{K/\mathbb{Q}}(\xi)$ is a prime $q$, then $\pi$ is a $q$-Weil number in $K$.

Now we wish to impose the conditions of Proposition 2.1 on $\pi$. Let $r$ be a rational prime that splits completely in $K$, and $\mathfrak{r}$ a prime of $O_K$ over $r$. For $i = 1, \ldots, 2g$, put $\mathfrak{r}_i = \sigma^{-i}(\mathfrak{r})$; then the factorization of $r$ in $O_K$ is $rO_K = \prod_{i=1}^{2g} \mathfrak{r}_i$. If $\alpha_i \in \mathbb{F}_r = O_K/\mathfrak{r}_i$ is the residue class of $\xi$ modulo $\mathfrak{r}_i$, then $\sigma^i(\xi)$ modulo $\mathfrak{r}$ is also $\alpha_i$, so the residue class of $\pi$ modulo $\mathfrak{r}$ is $\prod_{i=1}^{g} \alpha_i$. Furthermore, the residue class of $\pi\bar\pi$ modulo $\mathfrak{r}$ is $\prod_{i=1}^{2g} \alpha_i$. If we choose $\xi$ to satisfy

$$\prod_{i=1}^{g} \alpha_i = 1 \in \mathbb{F}_r, \qquad (2.4)$$

we find $\pi \equiv 1 \pmod{\mathfrak{r}}$ and thus $N_{K/\mathbb{Q}}(\pi - 1) \equiv 0 \pmod r$. By choosing $\xi$ such that in addition

$$\zeta = \prod_{i=1}^{2g} \alpha_i = \prod_{i=g+1}^{2g} \alpha_i \qquad (2.5)$$

is a primitive $k$-th root of unity in $\mathbb{F}_r^*$, we guarantee that $\pi\bar\pi = q$ is a primitive $k$-th root of unity modulo $r$. Thus we can try to find a Weil number as in Proposition 2.1 by picking residue classes $\alpha_i \in \mathbb{F}_r^*$ for $i = 1, \ldots, 2g$ meeting the two conditions above, computing some 'small' lift $\xi \in O_K$ with $(\xi \bmod \mathfrak{r}_i) = \alpha_i$, and testing whether $\pi = \prod_{i=1}^{g} \sigma^i(\xi)$ has prime norm. As numbers of moderate size have a high probability of being prime by the prime number theorem, a small number of choices $(\alpha_i)_i$ should suffice. There are $(r-1)^{2g-2}\varphi(k)$ possible choices for $(\alpha_i)_{i=1}^{2g}$, where $\varphi$ is the Euler totient function, so for $g > 1$ and large $r$ we are very likely to succeed. For $g = 1$, there are only a few choices $(\alpha_1, \alpha_2) = (1, \zeta)$, but one can try various lifts and thus recover what is known as the Cocks-Pinch algorithm [2, Theorem 4.1] for finding pairing-friendly elliptic curves. □

For arbitrary CM-fields $K$, the appropriate generalization of the map in Example 2.3 is provided by the type norm. A CM-type of a CM-field $K$ of degree $2g$ is a set $\Phi = \{\phi_1, \ldots, \phi_g\}$ of embeddings of $K$ into its normal closure $L$ such that $\Phi \cup \bar\Phi = \{\phi_1, \ldots, \phi_g, \bar\phi_1, \ldots, \bar\phi_g\}$ is the complete set of embeddings of $K$ into $L$. The type norm $N_\Phi : K \to L$ with respect to $\Phi$ is the map

$$N_\Phi : x \mapsto \prod_{\phi \in \Phi} \phi(x),$$

which clearly satisfies

$$N_\Phi(x)\,\overline{N_\Phi(x)} = N_{K/\mathbb{Q}}(x) \in \mathbb{Q}. \qquad (2.6)$$

If $K$ is not Galois, the type norm $N_\Phi$ does not map $K$ to itself, but to its reflex field $\hat K$ with respect to $\Phi$. To end up in $K$, we can however take the type norm with respect to the reflex type $\Psi$, which we will define now (cf. [9, Section 8]).
Let $G$ be the Galois group of $L/\mathbb{Q}$, and $H$ the subgroup fixing $K$. Then the $2g$ left cosets of $H$ in $G$ can be viewed as the embeddings of $K$ in $L$, and this makes the CM-type $\Phi$ into a set of $g$ left cosets of $H$ for which we have $G/H = \Phi \cup \bar\Phi$. Let $S$ be the union of the left cosets in $\Phi$, and put $\hat S = \{\sigma^{-1} : \sigma \in S\}$. Let $\hat H = \{\gamma \in G : \gamma S = S\}$ be the stabilizer of $S$ in $G$. Then $\hat H$ defines a subfield $\hat K$ of $L$, and as we have $\hat H = \{\gamma \in G : \hat S\gamma = \hat S\}$ we can interpret $\hat S$ as a union of left cosets of $\hat H$ inside $G$. These cosets define a set of embeddings $\Psi$ of $\hat K$ into $L$. We call $\hat K$ the reflex field of $(K, \Phi)$ and we call $\Psi$ the reflex type.

Lemma 2.7. The field $\hat K$ is a CM-field. It is generated over $\mathbb{Q}$ by the sums $\sum_{\phi \in \Phi} \phi(x)$ for $x \in K$, and $\Psi$ is a CM-type of $\hat K$. The type norm $N_\Psi$ maps $\hat K$ to $K$.

Proof. The first two statements are proved in [9, Chapter II, Proposition 28] (though the definition of $\hat H$ differs from ours, because Shimura lets $G$ act from the right). For the last statement, notice that for $\gamma \in H$, we have $\gamma\hat S = \hat S$, so

A CM-type $\Phi$ of $K$ is induced from a CM-subfield $K' \subset K$ if it is of the form $\Phi = \{\phi : \phi|_{K'} \in \Phi'\}$ for some CM-type $\Phi'$ of $K'$. In other words, $\Phi$ is induced from $K'$ if and only if $S$ as above is a union of left cosets of $\operatorname{Gal}(L/K')$. We call $\Phi$ primitive if it is not induced from a strict subfield of $K$; primitive CM-types correspond to simple abelian varieties [9]. Notice that the reflex type $\Psi$ is primitive by definition of $\hat K$, and that $(K, \Phi)$ is induced from the reflex of its reflex. In particular, if $\Phi$ is primitive, then the reflex of its reflex is $(K, \Phi)$ itself. For $K$ Galois and $\Phi$ primitive we have $\hat K = K$, and the reflex type of $\Phi$ is $\Psi = \{\phi^{-1} : \phi \in \Phi\}$.

For CM-fields $K$ of degree 2 or 4 with primitive CM-types, the reflex field $\hat K$ has the same degree as $K$. This fails to be so for $g \ge 3$.

Lemma 2.8. If $K$ has degree $2g$, then the degree of $\hat K$ divides $2^g g!$.

Proof. We have $K = K_0(\sqrt\eta)$, with $K_0$ totally real and $\eta \in K_0$ totally negative. The normal closure $L$ of $K$ is obtained by adjoining to the normal closure $\tilde K_0$ of $K_0$, which has degree dividing $g!$, the square roots of the $g$ conjugates of $\eta$. Thus $L$ is of degree dividing $2^g g!$, and $\hat K$ is a subfield of $L$. □

For a 'generic' CM field $K$ the degree of $L$ is exactly $2^g g!$, and $\hat K$ is a field of degree $2^g$ generated by $\sum_{\sigma} \sqrt{\sigma(\eta)}$, with $\sigma$ ranging over $\operatorname{Gal}(\tilde K_0/\mathbb{Q})$.

From (2.6) and Lemma 2.7, we find that for every $\xi \in O_{\hat K}$, the element $\pi = N_\Psi(\xi)$ is an element of $O_K$ that satisfies $\pi\bar\pi \in \mathbb{Z}$. To make $\pi$ satisfy the conditions of Proposition 2.1, we need to impose conditions modulo $r$ on $\xi$ in $\hat K$. Suppose $r$ splits completely in $K$, and therefore in its normal closure $L$ and in the reflex field $\hat K$ with respect to $\Phi$. Pick a prime $\mathfrak{N}$ over $r$ in $L$, and write $\mathfrak{r}_\psi = \psi^{-1}(\mathfrak{N}) \cap O_{\hat K}$ for $\psi \in \Psi$. Then the factorization of $r$ in $O_{\hat K}$ is

$$rO_{\hat K} = \prod_{\psi \in \Psi} \mathfrak{r}_\psi \bar{\mathfrak{r}}_\psi. \qquad (2.9)$$
Theorem 2.10. Let $(K, \Phi)$ be a CM-type and $(\hat K, \Psi)$ its reflex. Let $r \equiv 1 \pmod k$ be a prime that splits completely in $K$, and write its factorization in $O_{\hat K}$ as in (2.9). Given $\xi \in O_{\hat K}$, write $(\xi \bmod \mathfrak{r}_\psi) = \alpha_\psi \in \mathbb{F}_r$ and $(\xi \bmod \bar{\mathfrak{r}}_\psi) = \beta_\psi \in \mathbb{F}_r$ for $\psi \in \Psi$. If we have

$$\prod_{\psi \in \Psi} \alpha_\psi = 1 \quad\text{and}\quad \prod_{\psi \in \Psi} \beta_\psi = \zeta \qquad (2.11)$$

for some primitive $k$-th root of unity $\zeta \in \mathbb{F}_r^*$, then $\pi = N_\Psi(\xi) \in O_K$ satisfies $\pi\bar\pi \in \mathbb{Z}$ and

$$N_{K/\mathbb{Q}}(\pi - 1) \equiv 0 \pmod r,$$
$$\Phi_k(\pi\bar\pi) \equiv 0 \pmod r.$$

Proof. This is a straightforward generalization of the argument in Example 2.3. The conditions (2.11) generalize (2.4) and (2.5), and imply in the present context that $\pi - 1 \in O_K$ and $\Phi_k(\pi\bar\pi) \in \mathbb{Z}$ are in the prime $\mathfrak{N} \subset O_L$ over $r$ that underlies the factorization (2.9). □

If the element $\pi$ in Theorem 2.10 generates $K$ and $N_{\hat K/\mathbb{Q}}(\xi)$ is a prime $q$ that is unramified in $K$, then by Lemma 2.2 $\pi$ is a $q$-Weil number corresponding to an ordinary abelian variety $A$ over $\mathbb{F} = \mathbb{F}_q$ with endomorphism algebra $K$ and Frobenius element $\pi$. By Proposition 2.1, $A$ has embedding degree $k$ with respect to $r$. This leads to the following algorithm.

Algorithm 2.12.

Input: a CM-field $K$ of degree $2g \ge 4$, a primitive CM-type $\Phi$ of $K$, a positive integer $k$, and a prime $r \equiv 1 \pmod k$ that splits completely in $K$.

Output: a prime $q$ and a $q$-Weil number $\pi \in K$ corresponding to an ordinary, simple abelian variety $A/\mathbb{F}_q$ with embedding degree $k$ with respect to $r$.

1. Compute a Galois closure $L$ of $K$ and the reflex $(\hat K, \Psi)$ of $(K, \Phi)$. Set $\hat g \leftarrow \frac12 \deg \hat K$ and write $\Psi = \{\psi_1, \psi_2, \ldots, \psi_{\hat g}\}$.

2. Fix a prime $\mathfrak{N} \mid r$ of $O_L$, and compute the factorization of $r$ in $O_{\hat K}$ as in (2.9).

3. Compute a primitive $k$-th root of unity $\zeta \in \mathbb{F}_r^*$.

4. Choose random $\alpha_1, \ldots, \alpha_{\hat g - 1}, \beta_1, \ldots, \beta_{\hat g - 1} \in \mathbb{F}_r^*$.

5. Set $\alpha_{\hat g} \leftarrow \prod_{i=1}^{\hat g - 1} \alpha_i^{-1} \in \mathbb{F}_r^*$ and $\beta_{\hat g} \leftarrow \zeta \prod_{i=1}^{\hat g - 1} \beta_i^{-1} \in \mathbb{F}_r^*$.

6. Compute $\xi \in O_{\hat K}$ such that $(\xi \bmod \mathfrak{r}_{\psi_i}) = \alpha_i$ and $(\xi \bmod \bar{\mathfrak{r}}_{\psi_i}) = \beta_i$ for $i = 1, 2, \ldots, \hat g$.

7. Set $q \leftarrow N_{\hat K/\mathbb{Q}}(\xi)$. If $q$ is not prime, go to Step (4).

8. Set $\pi \leftarrow N_\Psi(\xi)$. If $q$ is not unramified in $K$, or $\pi$ does not generate $K$, go to Step (4).

9. Return $q$ and $\pi$.

Remark 2.13. We require $g \ge 2$ in Algorithm 2.12, as the case $g = 1$ is already covered by Example 2.3, and requires a slight adaptation.

The condition that $r$ be prime is for simplicity of presentation only; the algorithm easily extends to square-free values of $r$ that are given as products of splitting primes. Such $r$ are required, for example, by the cryptosystem of [1].
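The construction of Example 2.3, carried out as Algorithm 2.12 in the Galois field $K = \mathbb{Q}(\zeta_5)$ of Example 3.10, as an added example that is not code from the paper. It assumes the CM-type $\Phi = \{\sigma_1, \sigma_2\}$ with $\sigma_e : \zeta_5 \mapsto \zeta_5^e$, represents $O_K = \mathbb{Z}[\zeta_5]$ by integer coefficient vectors, and performs the lift of Step (6) by Lagrange interpolation modulo $r$ in the spirit of the lifting described in Section 3; all function names are the example's own.

```python
# Added example, not code from the paper: Algorithm 2.12 in the Galois setting of Example 2.3,
# run in K = Q(zeta_5) with the CM-type Phi = {sigma_1, sigma_2} of Example 3.10 (g = 2).
# An element of O_K = Z[zeta] is a list of 5 cyclic coefficients (Z[x]/(x^5 - 1)), normalised
# so that the zeta^4 coordinate is 0, i.e. written on the basis 1, zeta, zeta^2, zeta^3.
import random

def normalize(c):
    """Use 1 + zeta + zeta^2 + zeta^3 + zeta^4 = 0 to clear the zeta^4 coordinate."""
    return [ci - c[4] for ci in c]

def mul(a, b):
    c = [0] * 5
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % 5] += ai * bj
    return normalize(c)

def sigma(a, e):
    """Galois automorphism sigma_e: zeta -> zeta^e (e = 1..4); sigma_4 is complex conjugation."""
    c = [0] * 5
    for j, aj in enumerate(a):
        c[(e * j) % 5] += aj
    return normalize(c)

def norm(a):
    """N_{K/Q}(a): the product of the four conjugates, which is a rational integer."""
    p = [1, 0, 0, 0, 0]
    for e in range(1, 5):
        p = mul(p, sigma(a, e))
    assert p[1:] == [0, 0, 0, 0]
    return p[0]

def residue(a, w, r):
    """a modulo the degree-one prime (r, zeta - w) of O_K: evaluate a(zeta) at w in F_r."""
    return sum(aj * pow(w, j, r) for j, aj in enumerate(a)) % r

def is_prime(n):
    """Deterministic Miller-Rabin for n < 3*10^23, ample for the norms of our small lifts."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2 or any(n % p == 0 for p in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def root_of_unity(n, r):
    """A primitive n-th root of unity in F_r^* (requires n | r - 1; n is small here)."""
    primes = [p for p in range(2, n + 1) if n % p == 0 and all(p % d for d in range(2, p))]
    for g in range(2, r):
        z = pow(g, (r - 1) // n, r)
        if all(pow(z, n // p, r) != 1 for p in primes):
            return z

def crt_lift(w, residues, r):
    """Step (6): xi with xi = residues[e-1] mod (r, zeta - w^e), e = 1..4, by Lagrange interpolation
    over F_r at the nodes w^e; the coefficients are then lifted to the range (-r/2, r/2]."""
    nodes = [pow(w, e, r) for e in (1, 2, 3, 4)]
    coeffs = [0] * 4
    for i, x_i in enumerate(nodes):
        num, den = [1], 1                  # num(x) = prod_{j != i} (x - x_j), den = num(x_i)
        for j, x_j in enumerate(nodes):
            if j != i:
                num = [((num[d - 1] if d else 0) - x_j * (num[d] if d < len(num) else 0)) % r
                       for d in range(len(num) + 1)]
                den = den * (x_i - x_j) % r
        scale = residues[i] * pow(den, -1, r) % r
        for d in range(4):
            coeffs[d] = (coeffs[d] + scale * num[d]) % r
    return [c if c <= r // 2 else c - r for c in coeffs] + [0]

def find_weil_number(r, k, seed=0, max_tries=100000):
    """Steps (3)-(9) of Algorithm 2.12 for K = Q(zeta_5), Phi = {sigma_1, sigma_2}: returns
    (q, pi, xi) with q prime, pi = N_Phi(xi) = xi * sigma_2(xi), r | N(pi - 1) and ord_r(q) = k."""
    rng = random.Random(seed)
    w = root_of_unity(5, r)               # r = 1 (mod 5) splits completely: r O_K = prod_e (r, zeta - w^e)
    zeta_k = root_of_unity(k, r)          # step (3)
    for _ in range(max_tries):
        a1, b1 = rng.randrange(1, r), rng.randrange(1, r)       # step (4)
        a2, b2 = pow(a1, -1, r), zeta_k * pow(b1, -1, r) % r    # step (5): a1*a2 = 1, b1*b2 = zeta_k
        # pi = xi*sigma_2(xi) has residue a1*a2 = 1 at (r, zeta - w); its conjugate sigma_4(xi)*sigma_3(xi)
        # has residue b1*b2 = zeta_k there (conditions (2.11)), so q = N(xi) = zeta_k mod r.
        xi = crt_lift(w, [a1, a2, b2, b1], r)                   # step (6)
        q = norm(xi)                                            # step (7)
        if not is_prime(q) or q == 5:                           # step (8): 5 is the only ramified prime
            continue
        pi = mul(xi, sigma(xi, 2))                              # type norm N_Phi(xi)
        if sigma(pi, 4) != pi:                                  # a real pi would not generate K
            return q, pi, xi                                    # step (9)
    raise RuntimeError("no prime norm found")
```

For the parameters of Example 3.10, `find_weil_number(1021, 2)` returns a prime $q \equiv -1 \pmod{1021}$ and a $\pi$ whose group order $N_{K/\mathbb{Q}}(\pi - 1)$ is divisible by $r$; a random lift gives $\rho = 2\log q/\log r$ close to $2g\hat g = 8$, as Theorem 3.4 predicts, rather than the 4.19 of the exhaustive search.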
3 Performance of the algorithm

Theorem 3.1. If the field $K$ is fixed, then the heuristic expected run time of Algorithm 2.12 is polynomial in $\log r$.

Proof. The algorithm consists of a precomputation for the field $K$ in Steps (1)-(3), followed by a loop in Steps (4)-(7) that is performed until an element $\xi$ is found that has prime norm $N_{\hat K/\mathbb{Q}}(\xi) = q$, and we also find in Step (8) that $q$ is unramified in $K$ and the type norm $\pi = N_\Psi(\xi)$ generates $K$.

The primality condition in Step (7) is the 'true' condition that becomes 
harder to achieve with increasing r, whereas the conditions in Step (8), which 
are necessary to guarantee correctness of the output, are so extremely likely to 
be fulfilled (especially in cryptographic applications where K is small and r is 
large) that they will hardly ever fail in practice and only influence the run time 
by a constant factor. 

As $\xi$ is computed in Step (6) as the lift to $O_{\hat K}$ of an element $\bar\xi \in O_{\hat K}/rO_{\hat K} \cong (\mathbb{F}_r)^{2\hat g}$, its norm can be bounded by a constant multiple of $r^{2\hat g}$. Heuristically, $q = N_{\hat K/\mathbb{Q}}(\xi)$ behaves as a random number, so by the prime number theorem it will be prime with probability at least $(2\hat g \log r)^{-1}$, and we expect that we need to repeat the loop in Steps (4)-(7) about $2\hat g \log r$ times before finding $\xi$ of prime norm $q$. As each of the steps is polynomial in $\log r$, so is the expected run time up to Step (7), and we are done if we show that the conditions in Step (8) are met with some positive probability if $K$ is fixed and $r$ is sufficiently large.

For $q$ being unramified in $K$, one simply notes that only finitely many primes ramify in the field $K$ (which is fixed) and that $q$ tends to infinity with $r$, since $r$ divides $N_{K/\mathbb{Q}}(\pi - 1) \le (\sqrt q + 1)^{2g}$.

Finally, we show that $\pi$ generates $K$ with probability tending to 1 as $r$ tends to infinity. Suppose that for every vector $v \in \{0,1\}^{\hat g}$ that is not all 0 or all 1, we have

$$\prod_{i=1}^{\hat g} (\alpha_i/\beta_i)^{v_i} \ne 1. \qquad (3.2)$$

This set of $2^{\hat g} - 2$ (dependent) conditions on the $2\hat g - 2$ independent random variables $\alpha_i, \beta_i$ for $1 \le i < \hat g$ is satisfied with probability at least $1 - (2^{\hat g} - 2)/(r - 1)$. For any automorphism $\phi$ of $L$, the set $\phi \circ \Psi$ is a CM-type of $\hat K$ and there is a $v \in \{0,1\}^{\hat g}$ such that $v_i = 0$ if $\phi \circ \Psi$ contains $\psi_i$ and $v_i = 1$ otherwise. Then $\alpha_i$ is $(\psi_i(\xi) \bmod \mathfrak{N})$, while $\beta_i$ is $(\bar\psi_i(\xi) \bmod \mathfrak{N})$, so $(\pi/\phi(\pi) \bmod \mathfrak{N})$ is $\prod_{i=1}^{\hat g} (\alpha_i/\beta_i)^{v_i}$. By (3.2), if this expression is 1 then $v = 0$ or $v = 1$, so $\phi \circ \Psi = \Psi$ or $\phi \circ \Psi = \bar\Psi$, which by definition of the reflex is equivalent to $\phi$ or $\bar\phi$ being trivial on $K$, i.e., to $\phi$ being trivial on the maximal real subfield $K_0$. Thus if (3.2) holds, then $\phi(\pi) = \pi$ implies that $\phi$ is trivial on $K_0$, hence $K_0 \subset \mathbb{Q}(\pi)$. Since $\pi \in K$ is not real (otherwise, $q = \pi^2$ ramifies in $K$), this implies that $K = \mathbb{Q}(\pi)$. □

In order to maximize the likelihood of finding prime norms, one should minimize the norm of the lift $\xi$ computed in the Chinese Remainder Step (6). This involves minimizing a norm function of degree $2\hat g$ in $2\hat g$ integral variables, which is already infeasible for $g = 2$.
In practice, for given $r$, one lifts a standard basis of $O_{\hat K}/rO_{\hat K} \cong (\mathbb{F}_r)^{2\hat g}$ to $O_{\hat K}$. Multiplying those lifts by integer representatives for the elements $\alpha_i$ and $\beta_i$ of $\mathbb{F}_r$, one quickly obtains lifts $\xi$. We also choose, independently of $r$, a $\mathbb{Z}$-basis of $O_{\hat K}$ consisting of elements that are 'small' with respect to all absolute values of $\hat K$. We translate $\xi$ by multiples of $r$ to lie in $rF$, where $F$ is the fundamental parallelotope in $\hat K \otimes \mathbb{R}$ consisting of those elements that have coordinates in $(-\frac12, \frac12]$ with respect to our chosen basis.

If we denote the maximum on $F \cap \hat K$ of all complex absolute values of $\hat K$ by $M_{\hat K}$, we have $q = N_{\hat K/\mathbb{Q}}(\xi) < (rM_{\hat K})^{2\hat g}$. For the $\rho$-value (1.1) we find

$$\rho < 2g\hat g\,(1 + \log M_{\hat K}/\log r), \qquad (3.3)$$

which is approximately $2g\hat g$ if $r$ gets large with respect to $M_{\hat K}$. We would like $\rho$ to be small, but this is not what one obtains by lifting random admissible choices of $\xi$.

Theorem 3.4. If the field $K$ is fixed and $r$ is large, we expect that (1) the output $q$ of Algorithm 2.12 yields $\rho \approx 2g\hat g$, and (2) an optimal choice of $\xi \in O_{\hat K}$ satisfying the conditions of Theorem 2.10 yields $\rho \approx 2g$.

Open problem 3.5. Find an efficient algorithm to compute an element $\xi \in O_{\hat K}$ satisfying the conditions of Theorem 2.10 for which $\rho \approx 2g$.

We will prove Theorem 3.4 via a series of lemmas. Let $H_{r,k}$ be the subset of the parallelotope $rF \subset \hat K \otimes \mathbb{R}$ consisting of those $\xi \in rF \cap O_{\hat K}$ that satisfy the two congruence conditions (2.11) for a given embedding degree $k$. Heuristically, we will treat the elements of $H_{r,k}$ as random elements of $rF$ with respect to the distributions of complex absolute values and norm functions. We will also use the fact that, as $\hat K$ is totally complex of degree $2\hat g$, the $\mathbb{R}$-algebra $\hat K \otimes \mathbb{R}$ is naturally isomorphic to $\mathbb{C}^{\hat g}$. We assume throughout that $g \ge 2$.

Lemma 3.6. Fix the field $K$. Under our heuristic assumption, there exists a constant $C_1 > 0$ such that for all $\varepsilon > 0$, the probability that a random $\xi \in H_{r,k}$ satisfies $q < r^{2(\hat g - \varepsilon)}$ is less than $C_1 r^{-\varepsilon}$.

Proof. The probability that a random $\xi$ lies in the set $V = \{z \in \mathbb{C}^{\hat g} : \prod |z_i|^2 < r^{2(\hat g - \varepsilon)}\} \cap rF$ is the quotient of the volume of $V$ by the volume $2^{-\hat g}\sqrt{|\Delta_{\hat K}|}\, r^{2\hat g}$ of $rF$, where $\Delta_{\hat K}$ is the discriminant of $\hat K$. Now $V$ is contained inside $W = \{z \in \mathbb{C}^{\hat g} : \prod |z_i|^2 < r^{2(\hat g - \varepsilon)},\ |z_i| < rM_{\hat K}\}$, which has volume

$$(2\pi)^{\hat g} \int_{\substack{x \in [0, rM_{\hat K}]^{\hat g} \\ \prod x_i^2 < r^{2(\hat g - \varepsilon)}}} \prod x_i \, dx \;\le\; (2\pi)^{\hat g} \int_{x \in [0, rM_{\hat K}]^{\hat g}} r^{\hat g - \varepsilon} \, dx \;=\; (2\pi M_{\hat K})^{\hat g}\, r^{2\hat g - \varepsilon},$$

so a random $\xi$ lies in $V$ with probability less than $(4\pi M_{\hat K})^{\hat g} |\Delta_{\hat K}|^{-1/2} r^{-\varepsilon}$. □
Lemma 3.7. There exists a number $Q_{\hat K}$, depending only on $\hat K$, such that for any positive real number $X < rQ_{\hat K}$, the expected number of $\xi \in H_{r,k}$ with all absolute values below $X$ is

$$\frac{\varphi(k)\,(2\pi)^{\hat g}\, X^{2\hat g}}{\sqrt{|\Delta_{\hat K}|}\; r^2}.$$

Proof. Let $Q_{\hat K} > 0$ be a lower bound on $\hat K \setminus F$ for the maximum of all complex absolute values, so the box $V_X \subset \hat K \otimes \mathbb{R}$ consisting of those elements that have all absolute values below $X$ lies completely inside $(X/Q_{\hat K})F \subset rF$. The volume of $V_X$ in $\hat K \otimes \mathbb{R}$ is $(\pi X^2)^{\hat g}$, while $rF$ has volume $2^{-\hat g}\sqrt{|\Delta_{\hat K}|}\, r^{2\hat g}$. The expected number of $\xi \in H_{r,k}$ satisfying $|\xi| < X$ for all absolute values is $\#H_{r,k} = r^{2\hat g - 2}\varphi(k)$ times the quotient of these volumes. □

Lemma 3.8. Fix the field $K$. Under our heuristic assumption, there exists a constant $c_2$ such that for all positive $\varepsilon < 2\hat g - 2$, if $r$ is sufficiently large, then we expect the number of $\xi \in H_{r,k}$ satisfying $N_{\hat K/\mathbb{Q}}(\xi) < r^{2+\varepsilon}$ to be at least $c_2 r^{\varepsilon}$.

Proof. Any $\xi$ as in Lemma 3.7 satisfies $N_{\hat K/\mathbb{Q}}(\xi) < X^{2\hat g}$, so we apply the lemma to $X = r^{1/\hat g + \varepsilon/(2\hat g)}$, which is less than $rQ_{\hat K}$ for large enough $r$ and $\varepsilon < 2\hat g - 2$. □

Lemma 3.9. Fix the field $K$. Under our heuristic assumption, for all $\varepsilon > 0$, if $r$ is large enough, we expect there to be no $\xi \in H_{r,k}$ satisfying $N_{\hat K/\mathbb{Q}}(\xi) < r^{2-\varepsilon}$.

Proof. Let $O$ be the ring of integers of the maximal real subfield of $\hat K$. Let $U$ be the subgroup of norm one elements of $O^*$. We embed $U$ into $\mathbb{R}^{\hat g}$ by mapping $u \in U$ to the vector $l(u)$ of logarithms of absolute values of $u$. The image is a complete lattice in the $(\hat g - 1)$-dimensional space of vectors with coordinate sum 0. Fix a fundamental parallelotope $F'$ for this lattice. Let $\xi_0$ be the element of $H_{r,k}$ of smallest norm. Since the conditions (2.11), as well as the norm of $\xi_0$, are invariant under multiplication by elements of $U$, we may assume without loss of generality that $l(\xi_0)$ is inside $F' + \mathbb{R}(1, \ldots, 1)$. Then every difference of two entries of $l(\xi_0)$ is bounded, and hence every quotient of absolute values of $\xi_0$ is bounded from below by a positive constant $c_3$ depending only on $\hat K$. In particular, if $m$ is the maximum of all absolute values of $\xi_0$, then $N_{\hat K/\mathbb{Q}}(\xi_0) \ge (c_3 m)^{2\hat g}$. Now suppose $\xi_0$ has norm below $r^{2-\varepsilon}$. Then all absolute values of $\xi_0$ are below $X = r^{1/\hat g - \varepsilon/(2\hat g)}/c_3$, and $X < rQ_{\hat K}$ for $r$ sufficiently large. Now Lemma 3.7 implies that the expected number of $\xi \in H_{r,k}$ with all absolute values below $X$ is a constant times $r^{-\varepsilon}$, so for any sufficiently large $r$ we expect there to be no such $\xi$, a contradiction. □

Proof (of Theorem 3.4). The upper bound $\rho \lesssim 2g\hat g$ follows from (3.3). Lemma 3.6 shows that for any $\varepsilon > 0$, the probability that $\rho$ is smaller than $2g\hat g - \varepsilon$ tends to zero as $r$ tends to infinity, thus proving the lower bound $\rho \gtrsim 2g\hat g$. Lemma 3.8 shows that for any $\varepsilon > 0$, if $r$ is sufficiently large then we expect there to exist a $\xi$ with $\rho$-value at most $2g + \varepsilon$, thus proving the bound $\rho \lesssim 2g$. Lemma 3.9 shows that we expect $\rho \ge 2g - \varepsilon$ for the optimal $\xi$, which proves the bound $\rho \gtrsim 2g$. □
For very small values of $r$ we are able to do a brute-force search for the smallest $q$ by testing all possible values of $\alpha_1, \ldots, \alpha_{\hat g - 1}, \beta_1, \ldots, \beta_{\hat g - 1}$ in Step 4 of Algorithm 2.12. We performed two such searches, one in dimension 2 and one in dimension 3. The experimental results support our heuristic evidence that $\rho \approx 2g$ is possible with a smart choice in the algorithm, and that $\rho \approx 2g\hat g$ is achieved with a randomized algorithm.

Example 3.10. Take $K = \mathbb{Q}(\zeta_5)$, and let $\Phi = \{\phi_1, \phi_2\}$ be the CM-type of $K$ defined by $\phi_j(\zeta_5) = e^{2\pi i j/5}$. We ran Algorithm 2.12 with $r = 1021$ and $k = 2$, and tested all possible values of $\alpha_1, \beta_1$. The total number of primes $q$ found was 125578, and the corresponding $\rho$-values were distributed as follows:



[Histogram of the $\rho$-values of the 125578 primes $q$ found; figure not reproduced.]

The smallest $q$ found was 2023621, giving a $\rho$-value of 4.19. The curve over $\mathbb{F} = \mathbb{F}_q$ for which the Jacobian has this $\rho$-value is $y^2 = x^5 + 18$, and the number of points on its Jacobian is 4092747290896.



Example 3.11. Take $K = \mathbb{Q}(\zeta_7)$, and let $\Phi = \{\phi_1, \phi_2, \phi_3\}$ be the CM-type of $K$ defined by $\phi_j(\zeta_7) = e^{2\pi i j/7}$. We ran Algorithm 2.12 with $r = 29$ and $k = 4$, and tested all possible values of $\alpha_1, \alpha_2, \beta_1, \beta_2$. The total number of primes $q$ found was 162643, and the corresponding $\rho$-values were distributed as follows:




The smallest $q$ found was 911, giving a $\rho$-value of 6.07. The curve over $\mathbb{F} = \mathbb{F}_q$ for which the Jacobian has this $\rho$-value is $y^2 = x^7 + 34$, and the number of points on its Jacobian is 778417333.

Example 3.12. Take $K = \mathbb{Q}(\zeta_5)$, and let $\Phi = \{\phi_1, \phi_2\}$ be the CM-type of $K$ defined by $\phi_j(\zeta_5) = e^{2\pi i j/5}$. We ran Algorithm 2.12 with $r = 2^{160} + 685$ and $k = 10$, and tested $2^{20}$ random values of $\alpha_1, \beta_1$. The total number of primes $q$ found was 7108. Of these primes, 6509 (91.6%) produced $\rho$-values between 7.9 and 8.0, while 592 (8.3%) had $\rho$-values between 7.8 and 7.9. The smallest $q$ found had 623 binary digits, giving a $\rho$-value of 7.78.
4 Constructing abelian varieties with given Weil numbers

Our Algorithm 2.12 yields $q$-Weil numbers $\pi \in K$ that correspond, in the sense of Honda and Tate [10], to isogeny classes of ordinary, simple abelian varieties over prime fields that have a point of order $r$ and embedding degree $k$ with respect to $r$. It does not give a method to explicitly construct an abelian variety $A$ with Frobenius $\pi \in K$. In this section we focus on the problem of explicitly constructing such varieties using complex multiplication techniques.

The key point of the complex multiplication construction is the fact that every ordinary, simple abelian variety over $\mathbb{F} = \mathbb{F}_q$ with Frobenius $\pi \in K$ arises as the reduction at a prime over $q$ of some abelian variety $A_0$ in characteristic zero that has CM by the ring of integers of $K$. Thus if we have fixed our $K$ as in Algorithm 2.12, we can solve the construction problem for all ordinary Weil numbers coming out of the algorithm by compiling the finite list of $\overline{\mathbb{Q}}$-isogeny classes of abelian varieties in characteristic zero having CM by $O_K$. There will be one $\overline{\mathbb{Q}}$-isogeny class for each equivalence class of primitive CM-types of $K$, where $\Phi$ and $\Phi'$ are said to be equivalent if we have $\Phi = \Phi' \circ \alpha$ for an automorphism $\alpha$ of $K$. As we can choose our favorite field $K$ of degree $2g$ to produce abelian varieties of dimension $g$, we can pick fields $K$ for which such lists already occur in the literature.

From representatives of our list of isogeny classes of abelian varieties in characteristic zero having CM by $O_K$, we obtain a list $\mathcal{A}$ of abelian varieties over $\mathbb{F}$ with CM by $O_K$ by reducing at some fixed prime $\mathfrak{q}$ over $q$. Changing the choice of the prime $\mathfrak{q}$ amounts to taking the reduction at $\mathfrak{q}$ of a conjugate abelian variety, which also has CM by $O_K$ and hence is $\mathbb{F}$-isogenous to one already in the list.

For every abelian variety $A \in \mathcal{A}$, we compute the set of its twists, i.e., all the varieties up to $\mathbb{F}$-isomorphism that become isomorphic to $A$ over $\overline{\mathbb{F}}$. There is at least one twist $B$ of an element $A \in \mathcal{A}$ satisfying $\#B(\mathbb{F}) = N_{K/\mathbb{Q}}(\pi - 1)$, and this $B$ has a point of order $r$ and the desired embedding degree.

Note that while efficient point-counting algorithms do not exist for varieties of dimension $g > 1$, we can determine probabilistically whether an abelian variety has a given order by choosing a random point, multiplying by the expected order, and seeing if the result is the identity.

The complexity of the construction problem rapidly increases with the genus $g = [K : \mathbb{Q}]/2$, and it is fair to say that we only have satisfactory general methods at our disposal in very small genus.

In genus one, we are dealing with elliptic curves. The $j$-invariants of elliptic curves over $\mathbb{C}$ with CM by $O_K$ are the roots of the Hilbert class polynomial of $K$, which lies in $\mathbb{Z}[X]$. The degree of this polynomial is the class number $h_K$ of $K$, and it can be computed in time $O(|\Delta_K|)$.

For genus 2, we have to construct abelian surfaces. Any principally polarized abelian surface is the Jacobian of a genus 2 curve, and all genus 2 curves are hyperelliptic. There is a theory of class polynomials analogous to that for elliptic curves, as well as several algorithms to compute these polynomials, which lie in $\mathbb{Q}[X]$. The genus 2 algorithms are not as well-developed as those for elliptic curves; at present they can handle only very small quartic CM-fields, and there exists no rigorous run time estimate. From the roots in $\mathbb{F}$ of these polynomials, we can compute the genus 2 curves using Mestre's algorithm.

Any three-dimensional principally polarized abelian variety is isogenous to the Jacobian of a genus 3 curve. There are two known families of genus 3 curves over $\mathbb{C}$ whose Jacobians have CM by an order of dimension 6. The first family, due to Weng [14], gives hyperelliptic curves whose Jacobians have CM by a degree-6 field containing $\mathbb{Q}(i)$. The second family, due to Koike and Weng [5], gives Picard curves (curves of the form $y^3 = f(x)$ with $\deg f = 4$) whose Jacobians have CM by a degree-6 field containing $\mathbb{Q}(\zeta_3)$.

Explicit CM-theory is mostly undeveloped for dimension $\ge 3$. Moreover, most principally polarized abelian varieties of dimension $\ge 4$ are not Jacobians, as the moduli space of Jacobians has dimension $3g - 3$, while the moduli space of abelian varieties has dimension $g(g+1)/2$. For implementation purposes we prefer Jacobians or even hyperelliptic Jacobians, as these are the only abelian varieties for which group operations can be computed efficiently.

In cases where we cannot compute every abelian variety in characteristic zero with CM by $O_K$, we use a single such variety $A$ and run Algorithm 2.12 for each different CM-type of $K$ until it yields a prime $q$ for which the reduction of $A$ mod $q$ is in the correct isogeny class. An example for $K = \mathbb{Q}(\zeta_{2p})$ with $p$ prime is given by the Jacobian of $y^2 = x^p + a$, which has dimension $g = (p-1)/2$.

5 Numerical examples 

We implemented Algorithm 2.12 in MAGMA and used it to compute examples of hyperelliptic curves of genus 2 and 3 over fields of cryptographic size for which the Jacobians are pairing-friendly. The subgroup size $r$ is chosen so that the discrete logarithm problem in $A[r]$ is expected to take roughly $2^{80}$ steps. The embedding degree $k$ is chosen so that $r^{k/g} \approx 2^{1024}$; this would be the ideal embedding degree for the 80-bit security level if we could construct varieties over $\mathbb{F} = \mathbb{F}_q$ with $\#A(\mathbb{F}) \approx r$. Space constraints prevent us from giving the group orders for each Jacobian, but we note that a set of all possible $q$-Weil numbers in $K$, and hence all possible group orders, can be computed from the factorization of $q$ in $K$.

Example 5.1. Let $\eta = \sqrt{-2 + \sqrt{2}}$ and let $K$ be the degree-4 Galois CM field 
$\mathbb{Q}(\eta)$. Let $\Phi = \{\phi_1, \phi_2\}$ be the CM type of $K$ such that $\mathrm{Im}(\phi_i(\eta)) > 0$. We 
ran Algorithm 2.12 with CM type $(K, \Phi)$, $r = 2^{160} - 1679$, and $k = 13$. The 
algorithm output the following field size: 

q = 31346057808293157913762344531005275715544680219641338497449500238872300350617165 \ 
40892530853973205578151445285706963588204818794198739264123849002104890399459807 \ 
463132732477154651517666755702167 (640 bits) 

There is a single $\overline{\mathbb{F}}_q$-isomorphism class of curves over $\mathbb{F}_q$ whose Jacobians have 
CM by $\mathcal{O}_K$; it has been computed in [11], and the desired twist turns out to be 
$C : y^2 = -x^5 + 3x^4 + 2x^3 - 6x^2 - 3x + 1$. The $\rho$-value of $\mathrm{Jac}(C)$ is 7.99. 
Example 5.2. Let $\eta = \sqrt{-30 + 2\sqrt{5}}$ and let $K$ be the degree-4 non-Galois CM 
field $\mathbb{Q}(\eta)$. The reflex field $\widehat{K}$ is $\mathbb{Q}(\omega)$ where $\omega = \sqrt{-15 + 2\sqrt{55}}$. Let $\Phi$ be the 
CM type of $K$ such that $\mathrm{Im}(\phi_i(\eta)) > 0$. We ran Algorithm 2.12 with the CM 
type $(K, \Phi)$, subgroup size $r = 2^{160} - 1445$, and embedding degree $k = 13$. The 
algorithm output the following field size: 

q = 11091654887169512971365407040293599579976378158973405181635081379157078302130927 \ 
51652003623786192531077127388944453303584091334492452752693094089192986541533819 \ 
35518866167783400231181308345981461 (645 bits) 

The class polynomials for $K$ can be found in the preprint version of [13]. We 
used the roots of the class polynomials mod $q$ to construct curves over $\mathbb{F}_q$ with 
CM by $\mathcal{O}_K$. As $K$ is non-Galois with class number 4, there are 8 isomorphism 
classes of curves in 2 isogeny classes. We found a curve $C$ in the correct isogeny 
class with equation $y^2 = x^5 + a_3 x^3 + a_2 x^2 + a_1 x + a_0$, with 

a_3 = 37909827361040902434390338072754918705969566622865244598340785379492062293493023 \
07887220632471591953460261515915189503199574055791975955834407879578484212700263 \
2600401437108457032108586548189769
a_2 = 18960350992731066141619447121681062843951822341216980089632110294900985267348927 \
56700435114431697785479098782721806327279074708206429263751983109351250831853735 \
1901282000421070182572671506056432
a_1 = 69337488142924022910219499907432470174331183248226721112535199929650663260487281 \
50177351432967251207037416196614255668796808046612641767922273749125366541534440 \
5882465731376523304907041006464504
a_0 = 31678142561939596895646021753607012342277658384169880961095701825776704126204818 \
48230687778916790603969757571449880417861689471274167016388608712966941178120424 \
3813332617272038494020178561119564

The $\rho$-value of $\mathrm{Jac}(C)$ is 8.06. 

Example 5.3. Let $K$ be the degree-6 Galois CM field $\mathbb{Q}(\zeta_7)$, and let $\Phi = 
\{\phi_1, \phi_2, \phi_3\}$ be the CM type of $K$ such that $\phi_n(\zeta_7) = e^{2\pi i n/7}$. We used the 
CM type $(K, \Phi)$ to construct a curve $C$ whose Jacobian has embedding degree 
17 with respect to $r = 2^{180} - 7427$. Since $K$ has class number 1 and one equivalence 
class of primitive CM types, there is a unique isomorphism class of curves 
in characteristic zero whose Jacobians are simple and have CM by $K$; these 
curves are given by $y^2 = x^7 + a$. Algorithm 2.12 output the following field size: 

q = 15755841381197715359178780201436879305777694686713746395506787614025008121759749 \ 
72634937716254216816917600718698808129260457040637146802812702044068612772692590 \ 
77188966205156107806823000096120874915612017184924206843204621759232946263357637 \ 
19251697987740263891168971441085531481109276328740299111531260484082698571214310 \ 
33499 (1077 bits) 

The equation of the curve $C$ is $y^2 = x^7 + 10$. The $\rho$-value of $\mathrm{Jac}(C)$ is 17.95. 

We conclude with an example of an 8-dimensional abelian variety found using 
our algorithms. We started with a single CM abelian variety $A$ in characteristic 
zero and applied our algorithm to different CM-types until we found a prime $q$ 
for which the reduction has the given embedding degree. 



Example 5.4. Let $K = \mathbb{Q}(\zeta_{17})$. We set $r = 1021$ and $k = 10$ and ran Algorithm 
2.12 repeatedly with different CM types for $K$. Given the output, we tested the 
Jacobians of twists of $y^2 = x^{17} + 1$ for the specified number of points. We found 
that the curve $y^2 = x^{17} + 30$ has embedding degree 10 with respect to $r$ over the 
field $\mathbb{F}$ of order 

q = 6869603508322434614854908535545208978038819437. 

The CM type was 

$\Phi = \{\phi_1, \phi_3, \phi_5, \phi_6, \phi_8, \phi_{10}, \phi_{13}, \phi_{15}\}$, 

where $\phi_n(\zeta_{17}) = e^{2\pi i n/17}$. The $\rho$-value of $\mathrm{Jac}(C)$ is 121.9. 